Most Popular
1500 questions
4 votes, 1 answer
how to attach to a process as soon as it is loaded in memory
I want to attach OllyDbg or IDA to a process as soon as it is loaded in memory, before a single instruction of it has been executed. How do I do this?
I can't use File->Open for some reason. I can only attach to it.

ASHUTOSH
- 203
- 3
- 9
4 votes, 1 answer
How to find the size of an array in binary?
I'm currently learning RE and trying to understand some basic C programs.
I've almost figured out some concepts, but right now I've no idea how to find the size of an array when I use objdump or gdb.
For example:
int main(int argc, char **argv)
{
…

MrHawy
- 143
- 1
- 3
4 votes, 1 answer
Finding execution flow/calls to functions?
I have a binary and I'm interested in a high-level overview of how it operates. I was trying to generate a list of functions called during a particular execution, with their hierarchy, for example
f1 . f2 . f1 . f2
. f3 . f4 …

m fran
- 143
- 5
4 votes, 1 answer
.idb file suddenly grew to 16GB in size
I'm working on a certain executable to which I add additional binary files from time to time.
A few hours ago, I added an additional binary file to the idb I was working on like this:
The additional binary file is about 60k in size.
When I next…

Sleeptime
- 147
- 1
- 8
4 votes, 1 answer
Insert jmp detour into a compiled program
I've seen references on Stack Exchange and elsewhere to inserting detours into compiled code. My understanding is that essentially a jmp instruction is inserted and then somehow the patched program is linked with additional code that contains the…

Praxeolitic
- 535
- 5
- 9
4 votes, 1 answer
What is a FAT header?
Today I saw a command line option in the output of otool (this is a MacOS X program, offering similar functionality as objdump) that is named:
-f -- print the fat headers
So, what are the fat headers?
I tried to Google 'fat headers' and 'fat…

PaulD
- 433
- 1
- 4
- 10
4 votes, 2 answers
Import functions from executable
I've injected a DLL into an existing game.
I can import functions and variables like this:
typedef const wchar_t* (__fastcall *get_string_t)(const char*, int, const char*, int);
get_string_t real_get_string =…

XTF
- 241
- 1
- 3
4 votes, 1 answer
Detecting SSDT and inline hooks in kernel
I did a simple SSDT Hooks detector that iterates through all entries and checks if any address is outside the Kernel module. If so, I can even go back and using the syscall find out what function was supposed to be there.
I suppose that at this…

user3002428
- 327
- 1
- 13
4 votes, 1 answer
Computer Malware: More complex than metamorphic?
I have read the topic on oligo-, poly- and metamorphic malware. I have done a quick Google search, and it seems like the concept of metamorphic malware was already known in the DOS age and in the 1990s at 32-bit Windows (according to Hunting For…

Laniakea
- 41
- 2
4 votes, 5 answers
How to find a subroutine (or next instruction) called after returning from a (Windows) dialog box?
The dialog box is a password challenge, and I'd like to catch/trace/observe the code (hopefully the password-checking code) that gets executed right after clicking the OK button of the dialog box.
I can't seem to find a way to do this in IDA. What's…

silvernightstar
- 151
- 1
- 4
4 votes, 1 answer
IDA plugin batch analysis issue.
I overcame recent issues with a redefinition and finished my plugin.
In short this plugin uses Hex-Rays Decompiler to decompile a given file, analyzes properties of the pseudocode and then appends the results to a .csv
Now I tried to use this in…

Viktor K
- 93
- 8
4 votes, 1 answer
An issue when unpacking UPX
Since I love to play with the WinAPI or debugging in general, I decided to write a small unpacker for the open source PE executable packer UPX today (Windows version).
In order to accomplish this, I proceeded as follows:
CreateProcess API all with…

beta
- 143
- 5
4 votes, 1 answer
Modifying a binary save-data file for a video game with a CRC/Checksum check
I recently overwrote the save game file of a video game that my girlfriend and I had been playing through. After trying to recover the file a few different ways (game didn't erase but overwrote the save file), I'm resigned to trying to rebuild the…

TroyDowling
- 43
- 1
- 5
4 votes, 3 answers
Dumping firmware through mtdblock device
This is my first attempt at doing some reverse engineering. I'm trying to dump the filesystem off a Huawei HG523A TalkTalk router.
The problem is it's quite limited in the number of programs that are on the device. Below is a list of programs I can…

Xtrato
- 53
- 1
- 1
- 4
4 votes, 1 answer
Suspicious breakpoint message in ollydbg
I want to set a breakpoint and suddenly the following message appears:
You want to place breakpoint outside the code section. INT3 breakpoint set on data will not execute and may have disastrous influence on the debugged program. Do you really…

user3097712
- 1,541
- 1
- 25
- 44